diff --git a/README.md b/README.md index 20f5a41..ea335fb 100644 --- a/README.md +++ b/README.md @@ -386,10 +386,6 @@ https://github.com/ioerror/torbirdy/pull/11 Some hardening is opt-in as it causes too much breakage to be enabled by default. -* TCP SACK can be disabled as it is commonly exploited and is rarely used by -uncommenting settings in the `/etc/sysctl.d/30_security-misc.conf` -configuration file. - * An optional systemd service mounts `/proc` with `hidepid=2` at boot to prevent users from seeing another user's processes. This is disabled by default because it is incompatible with `pkexec`. It can be enabled by diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 162a9e3..1fcb0ea 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -36,6 +36,14 @@ net.core.bpf_jit_harden=2 ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak kernel.kptr_restrict=2 +## Improves ASLR effectiveness for mmap. +## Both explicit sysctl are made redundant due to automation +## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 +## Do NOT enable either - displaying only for clarity +## +#vm.mmap_rnd_bits=32 +#vm.mmap_rnd_compat_bits=16 + ## Restricts the use of ptrace to root. This might break some programs running under WINE. ## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: ##
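Review bot: The README hunk deletes the opt-in TCP SACK paragraph, but this patch contains no matching change to `/etc/sysctl.d/30_security-misc.conf`, the file that paragraph pointed users at for "uncommenting settings"; the only hunk touching that file adds mmap comments near `kernel.kptr_restrict=2`. Either the commented-out SACK knobs are still in the config and are now undocumented (in which case keep a README entry for them), or they were removed in a separate commit and this change should say so, otherwise README and config drift apart. If the entry is being dropped because the claim "commonly exploited and is rarely used" no longer holds, state that reason in the commit message rather than silently removing the documentation.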
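Review bot: In the sysctl.d hunk, the new comment block "Both explicit sysctl are made redundant due to automation" names no component, so a reader of the config cannot tell what sets `vm.mmap_rnd_bits` at boot without following the forum link; name the script or service that does it in the comment (and fix the grammar: "Both explicit sysctls are made redundant by ..."). The "Do NOT enable either - displaying only for clarity" line also deserves a reason: the valid range of `vm.mmap_rnd_bits` is architecture-dependent (bounded by the kernel's per-arch min/max, 32 being the x86_64 maximum), so writing a fixed value larger than the arch maximum fails with EINVAL, which is the ppc64el breakage the linked thread title refers to, and `vm.mmap_rnd_compat_bits` does not exist at all on kernels without compat support. Suggest: `## Fixed values fail on architectures whose maximum is lower (e.g. ppc64el); the boot-time script computes the per-arch maximum instead.` Shipping commented-out settings with a warning not to uncomment them is also a style smell; consider moving the two lines into the README's opt-in section instead of the config file.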